Microsoft’s Take on UEFI May Impede Linux (and that’s being polite)

Recent revelations about the way that Windows 8 will make use of UEFI, the next generation PC BIOS, have caused speculation that this may cause problems for people wanting to install Linux. Potentially, this could cause the PC to switch away from its historic position as the standard bearer for open platforms.

The next version of Windows, Windows 8, may only run on a PC that features the UEFI BIOS. The snag is that it will probably make use of the “secure booting” feature of UEFI which prevents unsigned operating systems from booting on the hardware. The maker of the computer can install a certificate into the firmware on the motherboard, and consequently, only signed boot loaders (and possibly kernels and drivers and even applications) can then run on the machine. Software vendors such as Microsoft must send their code away to the manufacturer of the computer to be signed so that it will run.

In other words, the PC will undergo a historic change, from the consummate open platform to a closed one. This also means that Linux won't boot on future PCs unless the motherboard manufacturer takes the time to certify each version of the boot loader and possibly each distro or even every kernel. It also seems that compliance with this system may be incompatible with licenses such as GPL 3.

To digress for a moment, it’s worth considering a software environment that may voluntarily go down this path, Mac OS X, as its users could be willing to accept a change in the balance between freedom and security. It’s quite possible that a future version of Mac OS will only allow software installation via the app store, and furthermore, it might become impossible to run a binary that has not been signed and approved by Apple itself. Apple would probably not be too bothered that its hardware would be inaccessible to other operating systems.

By contrast, Linux is a broad church. Part of what makes Linux so great is that you can do anything you like with it. You can install it where you like and modify it so that it meets your needs. What we’re facing is a potential future in which ex-corporate PCs, for example, may well be tied to a specific version of Windows and absolutely nothing else will run.

Unsurprisingly, Microsoft employees have attempted to play down the undesirable ramifications of what may happen. In a post entitled “Protecting the pre-OS environment with UEFI”, Microsoft blogger Steven Sinofsky says:

“The most important thing to understand is that we are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available.”

Over the course of the post, he summarizes some of the advantages offered by the new system, namely increased security and faster booting, while also downplaying the barrier to alternative OS installation. In defense of the new policy, he claims that end-users will be able to disable secure booting on a UEFI-equipped PC. This may be true, to an extent. However, it will be up to the hardware vendor to decide whether or not to leave this option intact. I for one have often encountered PCs that exhibit a curtailed set of BIOS start-up options. How long before it becomes an element of standard corporate IT policy that secure boot must be enabled?

Workarounds in the form of altering a jumper on the motherboard, selecting an option in the BIOS or even running an exploit to jail-break the machine are all barriers to Linux adoption.

There has also been some speculation on the subject of who will provide resistance to the adoption of the secure boot environment that Windows 8 will rely on.

How about techs? It’s worth remembering that a lot of technically minded people who work for large companies are fans of Linux. Yet, the Linux intrusion onto company desktops remains nascent, years after it reached sufficient maturity to take on Windows in that role. In the server room, the techs will be allowed to disable secure booting and will probably specify Linux-compatible hardware if they run Linux, sidestepping the problem. Overall, it’s doubtful that the “nerds in jumpers” will be a sufficient force to prevent Microsoft (let’s be honest here) doing a number on the computer industry.

It’s also possible that the hardware manufacturers will revolt against Microsoft’s plan to “accidentally” lock out alternatives to their product. However, one has to wonder how persuasive the wishes of less than 5% of the potential user base will prove. Also, bear in mind that the manufacturers have an incentive to go along with secure boot as it has the potential to turn hardware that is no longer supported by Microsoft into a doorstop, thus encouraging sales of new hardware.

Activists in the fields of poverty alleviation and recycling ought to be on our side, but it’s not clear that many of them will understand the technical issues to a sufficient extent. In the future, Microsoft may well create a version of Windows that only runs for 12 months, unless the customer is willing to pay a new subscription fee. That’s a lot of land-fill and a lot of potential users deprived of a cheap or free computer setup.

So, in summary, whatever level of extra security is foisted onto the computer industry by Microsoft’s latest decision, it looks like it will fly in the face of the freedom that makes alternative operating systems like Linux as great as they are.

Jake Edge pointed out a lot of these problems earlier in the year in this excellent LWN.net post.

Microsoft won't be able to stop open platforms, especially since Linux has a death grip on a vast audience. Linux-based smartphones currently dominate the market; I mean, when was the last time you saw anybody using a Windows phone? TomTom GPS units and a large number of tablets also have Linux at their core. All ranting aside though, I think it's hilarious when you really think about how futile it is when some teenager is gonna have the whole thing hacked and bypassed in less than a week of it coming out.

My concern is about the future of coding. If the industry continues along the 'walled garden' path it will become increasingly difficult for future software engineers to develop the necessary skills for the next evolutionary phase.

With most contemporary machines storing their BIOS in Flash ROM, even if there isn't a switch in the UEFI startup configuration menu to allow unsigned operating systems to load, it would just be a matter of time before some enterprising hackers figure out a way to modify the code and provide patch programs to change the BIOS, just like BIOS upgrades are done now, so that "unsigned" systems such as Linux, DOS and old versions of Windows could still run. Since PC manufacturers tend to get their BIOS from a third party these days (Phoenix, AMI, etc.), the BIOS vendors may do this on their own as an additional revenue source. Most users never worry about BIOS upgrades, never perform them, and aren't even aware that it is possible. Some of my machines are relatively ancient and have received more than one BIOS patch via floppy disk or bootable CD-ROM.

Another thing to consider is that no operating system is infallible. In the last 15 years, most of the news about worms and viruses has involved operating systems from Microsoft. What if 99% of the computer users in the world were herded into using UEFI-based machines with "secure" signed operating systems from Microsoft, and some clever person figured out a way to compromise those systems with a scheme like the Stuxnet computer virus? I'll take a diversity of unsigned, seemingly less-secure operating systems any day, as it's unlikely that a scheme can be devised to take them all down. Just like biodiversity allows life to thrive on Earth, operating system diversity protects computers from attack. It's natural law.

It seems to me that people are possibly starting to panic about the technology for no reason. UEFI is a good thing for many reasons and it has been implemented in many products for a few years now. It is the logical next step to replace BIOS with UEFI or a similar standard. It's the UEFI + "secure boot" proposition by Microsoft that's making some people nervous but in reality that technology is only going to be a problem if (a) motherboard manufacturers provide no way to turn it off and (b) legislators make it illegal to circumvent the technology. It is unlikely the Asian-based motherboard manufacturers will intentionally restrict the use of their hardware for no reason as it would just lead to reduced sales. More of a problem would be if companies with a vested interest (i.e. Microsoft) were able to convince the governments of the world to make it unlawful to operate a computer without using the "secure boot" feature of UEFI. While it IS likely MS would try that tactic using some DMCA-style law covering circumvention of "secure boot" if such a law existed, fortunately such a law would be invalid since running a so-called 'insecure' operating system is not in itself illegal (unlike copyright infringement, which is what the DMCA was designed to protect). MS would never lobby to introduce a law banning insecure operating systems as they would be shooting themselves in the foot, so I don't think we have anything to worry about with "secure boot" just yet. Furthermore, without such laws there would be nothing stopping users from "jailbreaking" their motherboards if necessary.

In summary I don't think we need to be concerned about the technology, we should be more concerned about the possibility of governments legislating for/against the use of ANY form of technology that unfairly favours particular commercial (or government) entities over individual personal freedoms.

Suppose the worst case scenario. Hardware manufacturers build a BIOS directly into the processor chips that cannot be modified by hackers (who have managed to get into almost anything so far) and so only Windows can be installed. No manufacturer sells motherboards other than these locked down ones. Some open hardware enthusiast will put together a motherboard that will run Linux. They exist now for ARM (and other lesser) processors but mainly for embedded applications. These will be offered in the usual way - schematic diagrams and kits and even built up boards for a nominal fee to cover costs, or even to make a few dollars. The opensource/hardware following is too strong willed to allow M$ to get away with such a thing. Sure it will be a challenge but isn't that what motivates us?

Microsoft will send their UEFI data to computer manufacturers, and then those manufacturers will decide what they want to include for boot loaders, kernels, and other OSes. This will be just like back in the early 90s when ... Ooops, I'm wrong. Now the "Findings of Fact" from the US DoJ vs. Microsoft case come back to me. Some of the >400 findings, many actually, had to do with Microsoft threatening to not sell Windows to computer vendors unless those computer vendors prevented competitors of Microsoft from competing. Microsoft also did this against major internet providers. For those who haven't heard of this case, that's because it was too complicated for most people to follow, and the media portrayed it as Microsoft refusing to remove their IE icon from the desktop, which was hardly part of the case at all. Of course, Microsoft was found guilty. That should be enough to prevent Microsoft from trying the same or similar coercion tactics related to UEFI this time around. The stiff penalty of "Please don't do that again. Oh, never mind" that they got when the next administration's DoJ got control of the case.

Sarcasm aside, the only hope we have of less (I didn't write "no") trouble will be if large motherboard manufacturers see Microsoft related business as part of, rather than all of, their profit stream. Likewise for companies that sell a lot into countries not as tied to Windows as the US. Hmm, I suppose that means that a number of Linux users might end up buying Chinese motherboards. At least those motherboards won't contain any Trojans ... I guess that's another discussion.

They don't care about Linux users, in fact they hate them.
They particularly hate home users trying Linux out - hence this move.
If they cared one iota, as a company, about security, they could have changed the way Windows works at any point over the last 15 years. They haven't though. Mostly they just abuse the legal process when anyone tries to sue them (who can afford to spend years awaiting Microsoft to actually get into the Court room?).

Even a cursory glance at the cables that have been published over at techrights (from the wikileak cables) will tell you that the US Government is firmly behind Microsoft. So you're not taking on Microsoft, you're taking on the American Government with all its cronyism and corruption as well.

Put simply - against such a Company, few have any chance of fairness, redress or a legal solution.

So, this boot issue is aimed firmly at Home Users - to discourage them from trying Linux.
Servers will remain open to whatever OS is desired, for the moment.
For us Linux users, first there will be 'build it yourself' solutions, followed by legacy hardware, followed by a choice between one of 3 totally locked down, proprietary OS's or sign off and go do something else entirely.

The US Government isn't behind Microsoft; in fact, I saw just yesterday an article online where the FBI was explaining how they created a special version of Linux that they use. Also, it was the American Government that stopped them from their crap they were trying to pull on Apple years ago. Also, many governments around the world use Linux. Russia made it a law where all government offices must use Linux and offer training for it, so it would seem to me that no matter what Microsoft wants/tries they won't succeed in crushing the Linux community. We're here and we're here to stay!

...and the "Evangelism is WAR!" paper that Microsoft wrote. The target was in fact GNU GPL'd software such as GNU/Linux. And unfortunately, yes, US Gov't. officials are in Microsoft's back pocket, shortly after the company started contributing heavily to both Democratic and Republican political campaigns after Judge Jackson's judgment against it in 1998 (they hadn't really played that game before then). Microsoft executives have admitted this publicly. The company has gotten ambassadors in Europe to lobby the EU to, and I quote, "be nicer to Microsoft." A bunch of Representatives in the House signed onto a letter opposing any EU action against Microsoft. "Payola" is alive and well, and MS has become very good at it.

BTW, it wasn't the FBI, but rather the NSA, that created that special version of Linux. It's called "SELinux", and Microsoft complained loudly and bitterly that the NSA used something GPL'd (i. e. not Microsoft) for their "security experiment" and started calling legislators. Notice the NSA hasn't done anything like that again! Hmmmm.....

Then, in 2005, they lobbied very hard against the OpenDocument formats in Massachusetts when then-Gov. Mitt Romney signed off on CIO Peter Quinn's move to make OpenDocument the state standard. MS could've easily supported OpenDocument in MS Office--*easily*. But nope; they wanted their patent-encumbered Uh-Oh-XML format to be "the one". They did a larger version of it again at the ISO.

Read the Halloween documents to find out how MS executives feel about truly open standards, or the GPL. Then, read the "Evangelism is WAR!" document. Seriously. Read them. Then you'll understand better what we're up against. I know; I used to work for them.

It looks like the NSA is still, kind of working on it, with the "we will not confirm or deny" stance on it the a$#! But it works.

I highly doubt that manufacturers like Acer, Asus, Gigabyte, Tyan, and Intel would bow down to MS and not put a switch in the BIOS/UEFI settings to allow non-signed OS's.

I for one am not worried; like someone else posted, how long will it take some hacker to write a virus that cripples the certificate checks for the OS, or even better yet alters the current OS signature and causes your computer to just keep rebooting, shut down, or throw a BIOS error? Doesn't take a lot of code to do this and with the never-ending storm of viruses/spyware/malware it's bound to happen if this were to go through...

If this were to happen I believe I would have an endless supply of work... fixing viruses that have crippled a couple of certs/signatures that have now left a Windows PC crippled. Leave it to Microsoft to add a potential security vulnerability to their systems (the possibility of not being able to boot into the OS). :)

As a Unix/Linux contractor, I see server rooms with more or less equal distribution of Windows and Linux servers running on identical hardware. When we upgrade to new hardware we buy "one size fits all" with backwards compatibility also in mind, so that we can redeploy hardware with either OS and choose the migration strategy that works for us.

Whether we migrate to the new hardware then upgrade the OS or upgrade then migrate, a Windows 8 locked to UEFI would force us to migrate and upgrade simultaneously. I've just done exactly this for Solaris going to new SPARC hardware but then, jumping several major versions of Solaris with a payload of unchanged applications on board has never been a problem. I would not be so confident with Windows, or Linux (to a lesser extent).

Virtualisation in the server room is making this less critical. No doubt Microsoft will try to leverage their VM platform into this space, but all of the dominant platforms are Linux-based.

Nevertheless, in the server room UEFI would be a serious nuisance with little or no benefit. Servers tend to run continuously for long periods and live in secure environments. We like configuration flexibility. So IMO using UEFI to tie up both PC and server hardware will not happen and I suspect that Microsoft will need to at least retain a non-UEFI server edition of Windows.

And another thing: the PC leasing industry is a major buyer of hardware and relies on redeployment and resale and UEFI lock-in could hurt there.

Microsoft reminds me of a disobedient dog. They never learn and when THEY are doing something and you interfere, then they are ready to bite your hand off. Microsoft tried to shut down Apple and it was an epic fail, and since this is on a much larger scale I see no chance in hell for this to happen. Linux has too much of a stronghold in today's time to be just pushed around. I think it's time that we do to Micro$oft like we do to any wild crazed dog .... Put them Down!

Mike K. wrote
'In the end I think this will be Windows loss, as it will just add to the frustration most people have with it.'

Windows loss? I wouldn't mind, but I don't think so. They have a lot of money to 'correct' things. They have always done it this way. And I think there will be much more money to come in for them.

The frustration will be here anyway.
Governments all over the world have the opinion that computers as we know them now and the web as a whole are a danger to society. The Twitters, the Facebooks etc. Wikileaks. The Linux guys (mostly more capable with the options of a PC than Windows users). Governments are afraid of the revolutions in the world orchestrated by social networks etc.

What we see now is the prelude of what I hope will not come. In that kind of thinking there is certainly no desktop Linux, I suspect. Unless the world sees the benefit of the testing platform of free and open software. (There's a lot of open software in any kind of Operating System and other kinds of software of course. Big parts of Windows are open software.)
And M$ will be at the side of governments, because there's a lot of money out there, although things are not so happy with economies now etc. So let's do something with UEFI or EFI... and tell them it is to ban the rootkit, very secure. Yes, we (M$) can tell, because Windows is not the strongest against all sorts of attack. So use our weakness to make us strong and phase someone out... Very clever indeed. And it will never stop until they have it all. At least that is their goal.

It will be M$, maybe Apple, Google, social networks. But M$ does think of something clever all the time.... So wait for the next $ moves...

Why should the computer mfgs limit their options? I'm not an expert on UEFI, but I imagine the bulk of mfgs would - at worst - make this an all or nothing proposition. I would expect I could either disable UEFI altogether (thereby making M$ unbootable) or enable it and have a machine that only boots Windows 8. The former is fine by me. Besides, I can't remember the last time I booted a Windows OS on non-virtual hardware.

In the end I think this will be Windows loss, as it will just add to the frustration most people have with it.

I've stated many times if it becomes mandatory to use MicroSnot only I will throw all my computers out the door.
I did always relate this to an Obama style of government making a law like Russia/etc stating what you can use.
If it's going to be MicroSnot and even the government in collusion then I will take yet another path I never thought I would ever consider.

I will become a computer terrorist! "in the sense of software hacking!" "Read OS!" Actually any way I can find to break MicroSnot's OS!
I will dedicate the rest of my life to breaking every MicroSnot PC I can find on the planet.
I'll do everything I can to get software out that can break them and make them useless without a complete new license from MicroSnot.
We all know that when every few months you have to replace your OS at considerable cost from MS there will be a wall of resistance from consumers.
I also can envision where these consumers will even use physical terrorist tactics against MicroSoft.
Not me though, I'm way too old to get physical about it.
A large part of you seem to not know where MicroSnot came from in the first place.

In the late 1970's and early 80's, I was using COM-80 as my primary system and at the time was also running CPM-86 as a beta tester.
I still have the old hardware and it still works.
When IBM introduced the open frame type of PC mother boards in 1980 "thank you IBM, had it not been for you we probably wouldn't have anything to run Linux etc on anyway.
When IBM did this they included their OS, "IBM PC-DOS, Read MicroSnot OS by any other name is still MicroSnot."
As you young people like to say, "way back in the nineties" etc.
Well, way back in the nineties, "as you young whipper snappers like to say", we were running several hundred MicroSnot desktops in our manufacturing network when Windows For Workgroups came out. There was a major problem just keeping the damned things running all day.
Due to security I decided to try something that for whatever stupid reason I suspected would not work. Well, had I been thinking correctly I should have known it would work.
I installed DR-DOS "the new name of CPM-86" after Novell acquired COM.
I then installed Windows For Work Groups on it.

Yup it worked!
As a matter of fact it worked so well I secretly installed it on many of our desktop machines. At first because they were being vandalized by an in-house prankster.
I knew who it was but couldn't get hard evidence to put this guy out to pasture.
He would drop by a desk where the PC was left running and unlocked.
As if MicroSnot WFW desktop locking was worth anything!
He would do an attrib command to remove read only, hidden, system only from the kernel files.

After he deleted them he would leave and the very first time MS crashed and needed a complete reboot, "several times a day", you would be dead in the water.
Now having Windows For Workgroups installed on DR-DOS I could make the kernel files read only, hidden, sys just like before and then also make them password protected. So there ya go you little Jerk.
Just in case you're lurking, I know/knew what you were doing John XXXX! You little jerk!
There were a few more benefits of using DR-DOS.
I could lock any files I wished.
Better yet I could lock directories also.
That was a great feature.
Another good feature was DR-DOS was network ready and made better servers than anything by MicroSnot. On top of that the time between total crashes was almost totally done away with. MS-DOS with WFW would either drop dead or crash in some manner several times a day. DR-DOS lived for days, even months without a crash.
Saved us thousands of man hours.

If Gary Kendall, who invented COM had worked with IBM, "he refused their offer, if I remember correctly" there would never have been a Bill Gates plagiarized CPM-86 called PC-DOS and MicroSnot DOS.
The computer world would have been a much better place. Thank you! Gary would have been the richest man on earth.
Not the little Snot Bill Gates.

Oh well. Wouda, shouda, couda.
Damned it!
Just a side thought. I had a MS-DOS game I played at that time. It would crash quite a bit. Oh my surprise, surprise!
With DR-DOS it almost never crashed!
Also for years I ran an old 386 system with DR-DOS as my home built security system doing much more than just simple security.
Of course I moved to Linux to do the job years ago.
Oh my I'm showing my age!

If hardware manufacturers begin locking BIOS options to prevent third-party applications and OSes, Microsoft had better buy them. It'd take a lot of time and money to convince the FTC that this behavior is NOT anticompetitive, and Microsoft has already been rocked on those grounds a number of times.

I could, on the other hand, see a huge benefit in a unified niche market for open-OS hardware, one which isn't very prevalent today.

I tend to agree with you, some people are already busy with that I think. I also notice that some distros are starting to incorporate ARM again in their builds, mainly for the mobile market but the desktop is only a short step away if needed.

I wondered about the antitrust implications too. Although, Microsoft have only contributed to UEFI (along with Intel, amongst others). They could argue that they are not actually forcing anyone to use it, it will be the manufacturers who implement it, and none of them have a monopoly. It's actually quite a clever tactic from that standpoint.

Obviously, with a 95% share of desktop operating systems, if Windows 8 requires the secure boot, every manufacturer will have to adhere in order to stay in business. I'm sure that the MS business experts have systematically run through every possible scenario like the computer in War Games and now have a pretty good idea of what's most likely to happen.

Microsoft are experts at "accidentally" driving competition out of business.

As I said in the article, Linux does very well as a platform for bringing old hardware back to life, and that might not be possible in the future.

Well, my point was this: the FTC and DOJ monitor anticompetitive behavior based on its impact on the customers. If Microsoft is able to dodge a suit, that would imply that the FTC or DOJ determined there is enough competitive quality in the market to bear the burden of the new technology and still have room for niche markets. If not, the FTC or DOJ will certainly have a good case for antitrust behavior and will have to forcibly separate Microsoft from imposing benefits or penalties on hardware manufacturers. They're not allowed to completely smother competition, accidental or not. It's de facto illegal behavior.

One potential outcome would be Microsoft taking the Apple approach, and having one or many dedicated hardware manufacturers with entirely proprietary design. I wonder about the implications of that, but it doesn't seem very useful, as it would limit Microsoft's market share. Generally, their best practice would be to stay the course and continue to make products salient to the entire market (minus Apple computers, of course).

Microsoft tried to do the very thing you just mentioned. Making the Microsoft PC. It looked a lot like the Apples using the PowerPC 604e processor. They were going to phase out support for Intel based systems. This was around mid to late 90s if I remember right. They quickly abandoned the idea when the FTC started making inquiries.

I really don't believe the hardware manufacturers are going to ram down the idea that all OSes must boot that way. I half expect the uefi code will be in firmware that can be updated at will and no doubt will be replaceable. Likely, we'll have a linux kernel based uefi bios soon after with hardware manufacturers taking no official position. Or as I stated in an earlier post, they'll make all the "features" optional and password protect them at best.

I really don't see the point to the UEFI. It seems that a BIOS password would be the best option, then the enterprise IT people could add a password when they set up the corporation's computers and not allow booting from any external devices. This approach would be fair and non-monopolistic. It would be up to the corporate IT people to enforce enterprise restrictions (or not.) Most of this is already possible in most BIOS's today so what real good is UEFI unless it was designed to monopolize the desktop for Microsoft?

I can readily understand why an enterprise would want to keep people from booting non-approved software on their computers. Many companies that I consulted for did in fact have a BIOS password activated to protect against this very problem -- so why UEFI and "secure boot"? It seems to me that we already have a way to provide "secure boot" without UEFI.

UEFI does have one place that would be welcome. BIOS is just enough code to set up the hardware to boot and then transfer control to a boot loader according to boot sectors and partition tables. UEFI could be made into a functional mini OS. Cisco uses this with their switch and router technology. Their systems "BIOS" is really a minimal version of IOS burned permanently into the switch/router. This allows you to get back into the system and repair the normally running system no matter how badly corrupted it gets.

That's the only real advantage I can see with UEFI. But, if the hardware manufacturers want to really make things shine, they need to publish the specs for the system, supply the basic drivers and let the OS people make the firmware for their OS. Imagine having Linux in a minimal form running directly off of the motherboard. Your XYZ distro is blown. Today, you grab a rescue CD and work your way through it. Now, imagine if the rescue CD was also built into the motherboard and had enough to get you an ssh session and enough to fix partitions, raid containers, corrupted grub/lilo files, corrupted kernels, etc. And, do it all remotely.

There are a great deal of illegal Windows OSes running these days, that's true. But if people are in a situation where they have to pay €99 to €190 for an OS and €330 to €640 for an office suite then almost all of them will choose the free alternatives.

And what about the hardware life cycle? Apple still supports their 10-year-old G3s. Will MS do the same? I think they should because if they claim the hardware they should support it as long as it lives without the need for extra costs.

Hardware manufacturers recognize Linux because lately there are more problems installing Windows on new hardware than Linux. Some even have a Linux BIOS OS like ASUS.

And to Mr. Black the CIO ...

Or buy a linux version that is compatible with secure boot, and get it approved in writing that you are authorised. (if you have a legitimate business need, I will approve it)

Are you sure you are on the right place here? Linux is not only for playing. Are you really a CIO? If you are then you still have a lot to learn ...

Apple does not support G3s. In terms of technical support for hardware, the very last G4-based Mac ever made (mid-2005 iBook G4) is still supported. And that's *G4s*, not *G3s*. In terms of OS compatibility, the previous version of OS X (10.6 Snow Leopard) didn't run on *any* PowerPC processors (not even G5s) and the current version (10.7 Lion) doesn't even support Rosetta emulation for PowerPC apps.

You have it backwards. Microsoft is known for preserving backwards compatibility for very long periods of time, and many of their customers still run XP. Apple is known for cutting ties with legacy. Examples include Apple II to Mac, 68k to PPC, the original iMac (USB instead of legacy ports, and no internal floppy drive), Mac OS Classic to Mac OS X, dropping internal dial-up modems, dropping FireWire from iPods, PPC to Intel, and a continuous stream of updates to non-included apps (iLife, iWork, pro apps, etc) which require newer and newer OS versions.

Linux is not the little project it was when I first started using it 20 some odd years ago. It's grown into a very powerful platform. It makes good business sense to allow a secure booting mechanism for those that want it. It also makes good business sense to make that optional. I really don't believe for one minute that hardware manufacturers are going to say to us all, "sorry but you're not compliant." That would be very foolish on their part.

Microsoft's ideal system may kill off non-Microsoft OSes. But, that's their wish list, and it isn't shared by everyone making PCs. The smarter hardware manufacturers will make all that optional. They'll make it so you have to give a password to change options to secure them. The best ones will figure out how to let you secure any OS and not just Microsoft's if demand for that feature is there.

Like it or not, Linux, Windows, FreeBSD (and friends), and Apple's OS are here to stay. All have a strong following and each has its areas of specialty. The manufacturers who embrace one technology stand to put themselves into a niche market. The only company I know who still does that to some degree and is still in business is Apple. The things many of you fear were the old way of doing business: it's still practiced by some companies. They do it because they can still get away with it...for now. I'm talking about yearly license renewals and such.

No manufacturer of motherboards would be stupid enough to lock out OS choice.

I started using Linux (after 10 years of Unix) in the mid 90s, getting a (sort of) distro on 20 or so 3.5" floppies, then on a Yggdrasil CD, but I can't yet claim 20 years of Linux usage.

From Wikipedia:
Linux (commonly /ˈlɪnəks/ lin-əks, also pronounced /ˈlɪnʊks/ lin-uuks) is a computer operating system which is based on free and open source software. Although many different varieties of Linux exist, all are Unix-like and based on the Linux kernel, an operating system kernel created in 1992 by Linus Torvalds.

One knock against Linux is the overwhelming set of choices, all of which are quite similar, and can be customized from one version to another (ex. all the deb versions can be customized to offer the benefits of the other deb distributions). This is too confusing for most users.
If the Linux community was required to present a semi-united front (deb, RPM, etc distributions working together) to put out tickets for the manufacturers this could remove some of the confusion. Look at what the united front of Android has done in the phone market.
I know the problem could come from open systems only in name only and have hardware locked so tight by the providers that you can't do anything with them.

A fair point. I think that unification strategies for Linux have their place. For example, I've long been an advocate of standardized national Linux distros to cut through some of the confusion caused by too much variety.

However, a lot of Linux's appeal comes from its informal nature and the fact that you can install it wherever and however you like.

Michael, in summarizing the situation I don't think you've stated it quite correctly.

The maker of the computer can install a certificate into the firmware on the motherboard, and consequently, only signed boot loaders (and possibly kernels and drivers and even applications) can then run on the machine. Software vendors such as Microsoft must send their code away to the manufacture of the computer to be signed so that it will run.

The manufacturer can install multiple certificates, and may (but doesn't have to) allow users to install their own certificates as well. The important questions are whether they allow you to turn off secure boot, whose certificates they do install, and whether they allow user-installed certs to be installed. If you can't turn off secure boot or install your own certificates you shouldn't buy a PC from that manufacturer because they're not actually selling you a general-purpose computer.

Microsoft provides a certificate which they use to sign their own code, and many manufacturers will probably include the MS cert as well as their own, thus you probably won't have to use the manufacturer's signed version of Windows 8; you ought to be able to install an off-the-shelf version directly from MS as well. Of course in the future Microsoft could also sign Windows 9 or 10 with a different certificate, thus preventing you from being able to upgrade this PC and forcing you to buy another one (the manufacturer might like that idea too, but it would be a good way for them to lose future customers).

Similarly the Linux distributors (Red Hat, SUSE, Canonical etc.) could also publish certificates for PC manufacturers to install, but doing so could cost the manufacturer more, so the low-cost suppliers may avoid doing that.

This also means that Linux wont boot on future PCs unless the motherboard manufacturer takes the time to certify each version of the boot loader and possibly each distro or even every kernel. It also seems that compliance with this system may be incompatible with licenses such as GPL 3.

I agree about the GPLv3 issue, but if your machine allows you to install your own certificates you would at least be able to install any missing distributions' certificates, or even use your own cert and sign the boot loader, distro or kernel yourself on installation (that could also get around the GPLv3 problem). It obviously isn't going to be as easy to install Linux on these kinds of machines as we're used to though, so anyone buying a PC with UEFI will need to be very careful and know what questions to ask the supplier.
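A simplified model of the trust decision described in the comment above, added here as an illustration and not part of the original comment. It assumes a detached RSA/SHA-256 signature made with `openssl` in place of the Authenticode signature real firmware checks, and the names `db`, `vendor`, `owner` and `loader.efi` are constructed for the example.

```shell
#!/bin/sh
# Constructed model: firmware accepts an image if ANY enrolled certificate
# verifies its signature. Real UEFI checks Authenticode signatures on PE
# images against the "db" variable; a detached signature stands in here.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DB="$WORK/db"                      # stand-in for the firmware's allowed list
mkdir -p "$DB"

# make_signer NAME: create a key pair and self-signed certificate.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# enroll NAME: add NAME's certificate to the allowed list.
enroll() { cp "$WORK/$1.crt" "$DB/$1.crt"; }

# sign_image NAME IMAGE: write IMAGE.sig using NAME's private key.
sign_image() { openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"; }

# firmware_allows IMAGE: succeed if an enrolled certificate verifies IMAGE.sig.
firmware_allows() {
    for crt in "$DB"/*.crt; do
        [ -f "$crt" ] || continue
        openssl x509 -in "$crt" -pubkey -noout > "$WORK/pub.pem" 2>/dev/null || continue
        if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$1.sig" "$1" \
               2>/dev/null | grep -q "Verified OK"; then
            return 0
        fi
    done
    return 1
}

report() {
    if firmware_allows "$1"; then echo "$2: boots"; else echo "$2: refused"; fi
}

make_signer vendor                 # certificate the manufacturer ships
make_signer owner                  # certificate the machine's owner creates
enroll vendor
printf 'constructed boot loader image\n' > "$WORK/loader.efi"
sign_image owner "$WORK/loader.efi"    # owner signs the loader themselves

report "$WORK/loader.efi" "vendor cert only"
enroll owner                       # possible only if the firmware permits it
report "$WORK/loader.efi" "owner cert enrolled"
```

On real hardware the enrolment step is the one the manufacturer controls, which is why the comment singles it out as a question to ask before buying.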

I completely agree with the corporate stance. An enterprise has the right and duty to enforce the rules it has established regarding computers, OS, browsers etc.

Having said that I do not think that home PC owners should not have the right to install any OS etc. they want. Microsoft may own the enterprise, in more ways than one, but its monopolistic practices should not be forced on the general public. A company has the option and right to ask its PC vendor to enable "secure boot" and only allow a specific OS to be booted. However, when a PC is sold to a home user the "secure boot" option should be something that can be changed.

I run only Linux now that I am retired and I want the option to continue to run Linux (or whatever OS I want) on any new hardware I may purchase. The freedom to choose is why I don't own any Apple products.

If Microsoft is concerned with security why don't they try to educate their users? Microsoft has made no effort to help home users create a safe computing environment. Their product is insecure by design when installed, unlike Linux.

With just a little instruction Microsoft Windows can be made very secure if only Microsoft cared to tell home users how to do a proper install or how to operate the OS when it is properly installed. Microsoft Windows can be just as secure as Linux or even more secure if Microsoft would just take the time to educate users. They have failed to help home users for some reason and I can only think that that reason is nefarious.

When I saw what happened with KDE and next Gnome, I knew they could yet think of something else. Something complementary. Something real good...

They now surround and try to kill off Linux and next Apple. That's what they want to and what they so often did with smaller firms.
And next Windows will become for half-year periods and will not be cheap hiring.
Although it is a very weak system.
And then the tens of billions of M$ will roll into Redmond.
I now can see dollarsigns in their eyes.

I don't know if the rest of the world wants this.
Especially the EU which had even a browser-struggle with M$ (and what is a browser? Nothing compared to this....)

Lord Acton's advice of "power tends to corrupt, and absolute power corrupts absolutely" comes to mind here. This is just another example.

Fortunately, Gandhi gave us a model to say NO to this sort of thing, and it applies to us, too. Back in the day, he advocated the boycott of British textiles and promoted homespun cloth. It worked. We can do the same thing--build our own PC's, since the components are readily available. Due to IBM PC's costing $3,000 and up, people used to do this regularly. In high school, I was one of them, and a whoooole lot of us did--possibly even most of us. Anybody remember the huge magazine "Computer Shopper"?

"But not everyone has the technical acumen to build a PC!", some might say.

Oh, please! During World War II, you had nontechnical housewives building electronic components like capacitors from tin foil and wax paper because of wartime component shortage. There were manuals on how to do it, and THEY DID IT. The Internet makes knowledge of how to build a PC readily accessible, even to the poor (Internet cafes).

Modern PC's are totally easy to build, especially compared to when I got started. What used to take me about 3 hours back in the day now takes me less than 30 minutes, and that's for a full-blown, very well equipped mid-tower. I watched a video clip of an 11-year-old girl named Ann build a thin-client PC (basically, everything but the hard disk) in about 10 minutes. So please don't try to tell me it's "too hard" for people to learn.

Personal responsibility. If you choose to forego it, it's your own fault. If you embrace it, you win. That's how we won World War II, that's how totally untrained housewives made inductors and capacitors back in the day, and that's how we will stifle this problem. If the PC manufacturers start seeing decreased sales numbers after this Windows 8 UEFI nonsense, they will change their BIOSes. Anybody remember IBM and MicroChannel?

"Those who would give up liberty for a little temporary security deserve neither liberty nor security."

I can sympathise with your experiences of "back in the day". As a school boy during the 70's I was building shortwave radios, little transmitters and antennas and eventually got into amateur radio. I started with computers around 1980 with a clone of the TRS80 called the System 80 which I believe was marketed under different names in other countries. Until early this year I had assembled every IBM compatible I have ever owned from discarded parts. When my old P3 became unstable and I couldn't fix it, it was time to at last build a modern machine. Hence the Phenom II 1090T machine I'm using to write this. This should last me for many years to come. I grew up experimenting and building and believe that the only impediment should be your own ability.

Unfortunately, the average consumer isn't interested in anything technical. It doesn't matter how easy it is, they don't see the need. All they want to do is press a button and see the only operating system they have ever known (Windows) boot up. They don't care about what type of BIOS is used. They don't know about, don't want to know about and couldn't care less about free software. You and I care about these things but about 95% of the population doesn't. At my workplace, a government electronics workshop, several of the staff are Apple adherents. They think they're making some kind of free thinking statement by using Apple. All they are doing is rejecting one evil master and accepting another. When I tell them about the virtues of Linux they tell me that they don't want or need complete control of their hardware. They don't care about source code and don't want to modify their system. As long as everything is sanctioned by Apple they're happy. These are "technical" people.... Thankfully at least there are a couple of "dual booters" in the workshop. The rest are exclusively Windows users.

My point is that as long as the average user can boot Windows on a piece of hardware bought at a department store Microsoft has nothing to worry about. No one other than people like us will give two hoots about whether Linux can be booted and as I have learnt over the years we comprise at most 5% of the population. It will all come down to money. Microsoft has billions of dollars and would conceivably bribe motherboard manufacturers to include the "Windows only" BIOS. Only time will tell where this marketing experiment will lead.

Sir,
You are showing your age sir! :>)
Then I'm older than you, "I assume by some of your statements."
When you were doing this in High School I was in my mid thirties.
I etched and built my motherboards and hand installed all the caps, inductors, etc.
Before that I used an S-100 bus system with plug-in cards.
Anyway, to make this a little shorter.

Your point is very well stated and I agree.
I wish I was capable of writing as well as you do sir.
